Title: Identity Theft Prevention Program
Policy Number: A126.96.36.199
Responsible Department: University Financial Services & Treasury
Magsino, Chique Lingao
Risk Management Associate
Effective Date: 2009-05-16
Next Review Date: 2014-06-30
Approval Date: 2011-07-26 08:19:52.0
May 16, 2009 - WesternU Board of Trustees reviewed and approved this policy.
16 Code of Federal Regulations 681.2
It is the policy of Western University of Health Sciences (WesternU) to establish and maintain Covered Accounts in a manner that reasonably protects against forseeable risks of identity theft.
To detect, prevent, and mitigate identity theft in connection with Covered Accounts described in this policy.
Whenever the University receives or identifies one or more Red Flags with respect to any Covered Account, the University will determine and implement an appropriate response designed to mitigate against unauthorized transactions or other forms of identity theft.
Appropriate responses may include, but are not limited to (1) contacting the student or other customer; (2) monitoring the affected account for evidence of identity theft; (3) changing any passwords, security codes or other security devices that permit access to a Covered Account; (4) reopening a Covered Account with a new account number; (5) not opening a new account; (6) closing an existing account; (7) not attempting to collect on a covered account or not selling a covered account to a debt collector; (8) notifying law enforcement; or (9) determining that no response is warranted under the particular circumstance.
All University employees with assigned responsibilities relating to any Covered Account shall immediately report any identified Red Flags to the Identity Theft Program Manager who will determine an appropriate response. In determining an appropriate response, the Identity Theft Program Manager may consult with other appropriate officials of the University, such as the Chief Financial Officer, the Director of Financial Aid, the Executive Director of Information Technology, or General Counsel.
The Identity Theft Program Manager, under the supervision of the Chief Financial Officer, has responsibility for general oversight of the Identity Theft Program. The Manager shall implement appropriate training of all University employees with assigned responsiblities for any Covered Account concerning the Identify Theft Program and procedures intended to protect against potential identity theft. The Manager shall provide the Chief Financial Offier with periodic reports (including at least an annual report) that will provide summary information concerning identified Red Flags, any reported incidents of identity theft with respect to any Covered Accounts and recommendations for changes, if any, with respect to the Identity Theft Program.
Covered Accounts include (1) any account offered or maintained by the University which is primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions, such as student loan or financial aid accounts; and (2) any other account offered or maintained by the University for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.
Red Flags include (1) alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services; (2) the presentation of suspicious documents; (3) the presentation of suspicious personal identifying information, such as a suspicious address change; (4) the unusual use of, or other suspicious activity related to a Covered Account; (5) notice from customers, victims of identity theft, law enforcement authorities or other persons regarding possible identify theft in connection with a Covered Account; and (6) any other suspicious activity identified by the University as presenting a foreseeable risk of identity theft.
Identity Theft Program Manager is the University's Risk Manager or such other official as is designated by the Chief Financial Officer.